[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: logcheck

On Thu, Sep 21, 2000 at 06:09:48PM -0500, debian-isp@ghost.net.cfw.com wrote:
> Hey Russel and Group,
> Thanks for the continuing discussion.
> > Nobody suing to root is not non-threatening!  Ideally you would have a group 
> > wheel or root required for su to root to prevent this.  Currently I haven't as 
> > I haven't got the PAM setup for it going yet.
> PAM is acronym for 'password authentication mode' ?

Um, no.

PAM = Pluggable authentication modules, though it can do a bit more than
just authentication.

Basically with Potato and later most programs that fondle /etc/passwd
type stuff do so through (at least optionally) PAM, which means you can
take a handy stack of pluggable modules and insert them into the
authentication sequence.

Suppose, for example, you want a trivial way to stop people from getting
mail when you change their shell to /bin/false.  Just make sure
/bin/false isn't in /etc/shells and add:

auth     required       pam_shells.o

to /etc/pam.d/pop -- and magically, their pop3 access breaks if they
have an invalid shell, just like it would for ftp.

> I know that BSD uses a wheel group that needs to be enacted before a su
> can happen. What means are you considering doing this?

The best way to do that on Linux is, again, with PAM.  Sure, you could
grab the source to su and change a #define and make it the BSD way, but
PAM makes it easier:

In /etc/pam.d/su:
# Uncomment this to force users to be a member of group root
# before than can use `su'. You can also add "group=foo" to
# to the end of this line if you want to use a group other
# than the default "root".
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

If you're nutso and want to allow anyone in a given group to be able to su
to anything with no password, there's an option for that, too.  Or you
could forbid a certain group from su'ing at all.

PAM gives you the ability to customize all the usual authentication in
any weird way you want without rebuilding every binary to do it.  There
are a whole stack of modules to do all sorts of goofy things (one of my
faves, though it's not included with Debian, is 'pam_make', which runs a
'make -C /some/path' when people change their password, very useful if
you use nsswitch to have a db-based password file).

> Also, would something be running from cron that does this every morning at
> 6:23 AM? Anyone know how I can investigate furthur?

You mean like this:
Sep 21 06:25:22 thorin su[18136]: + ??? root-nobody 
Sep 21 06:25:22 thorin PAM_unix[18136]: (su) session opened for user nobody by (uid=0)

That's from cron.daily, most likely from updatedb.  It's started by root
(as all the daily cron's are), and then su's itself to nobody to drop
privs.  Don't worry about root->nobody .. worry if it's the other way
around. :)

Reply to: